Skip to content

Fix use-after-free of enum type id in Function::set_int_display_type#8249

Open
ChrisKader wants to merge 1 commit into
Vector35:devfrom
ChrisKader:fix/set-int-display-type-uaf
Open

Fix use-after-free of enum type id in Function::set_int_display_type#8249
ChrisKader wants to merge 1 commit into
Vector35:devfrom
ChrisKader:fix/set-int-display-type-uaf

Conversation

@ChrisKader
Copy link
Copy Markdown

@ChrisKader ChrisKader commented Jun 6, 2026

Summary

Function::set_int_display_type converts the optional enumeration type id to an owned CString, then moves it into a map closure to take its pointer:

let enum_display_typeid = enum_display_typeid.map(IntoCStr::to_cstr);
let enum_display_typeid_ptr = enum_display_typeid
    .map(|x| x.as_ptr())            // moves the CString in, takes a pointer, then drops it
    .unwrap_or(std::ptr::null());
unsafe { BNSetIntegerConstantDisplayType(..., enum_display_typeid_ptr) }

The owned CString is dropped at the end of that closure, before the FFI call uses its pointer, so BNSetIntegerConstantDisplayType reads freed memory and stores a garbage type id.

Impact

Setting an integer operand to EnumerationDisplayType with a type id never resolves to the intended enumeration — the operand renders as a raw constant instead of the enumeration member. Confirmed by reading back the stored type id (garbage bytes) and by the operand failing to render the enum until this fix, after which it renders correctly.

Fix

Borrow the owned CString with .as_ref() so it lives until after the FFI call.

@ChrisKader
Fix use-after-free of enum type id in set_int_display_type
8a5b6d2 
`set_int_display_type` converted the optional enumeration type id to an owned
C string, then moved it into a closure to take its pointer. The C string was
dropped at the end of that closure, before `BNSetIntegerConstantDisplayType`
ran, so the FFI call read freed memory and stored a garbage type id for the
enumeration display. As a result an integer operand set to
EnumerationDisplayType never resolved to its enumeration and rendered as a
raw constant. Borrow the owned C string instead so it outlives the call.
@ChrisKader ChrisKader mentioned this pull request Jun 6, 2026
Open
@bdash bdash requested a review from emesare June 6, 2026 15:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@emesare emesare Awaiting requested review from emesare

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ChrisKader